Solved

Security issues with Front End Server in a DMZ?

Posted on 2004-03-23
10
379 Views
Last Modified: 2013-12-04
We currently have a Front End/Back End Exchange configuration which resides completely behind a firewall.  It seems we are having to evaluate the option of sticking the FE server out in the DMZ for direct access to POP, IMAP, etc.  

*Currently, all users access the corporate network via VPN for access to Exchange mail.  Performance (speed) and accessibility issues have been expressed by a number of our users when connecting in this manner.

If we were to only to open the secure ports ->
443 - HTTP (SSL)
993 - IMAP4 (SSL)
995 - POP3 (SSL)
...what are the obvious security risks?

 It appears to be a infrastructure design practice preached by MS and just need to be well-informed about any security before implementing.  The FE is NOT a GC and has no mailbox store mounted...

thanks for any insight!
0
Comment
Question by:davis
  • 7
  • 3
10 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10658902
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10658924
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 125 total points
ID: 10658964
Improving the Security of PST Files
http://support.microsoft.com/default.aspx?scid=kb;en-us;143241

Downloading and Using the Security Configuration Manager Tool:
http://support.microsoft.com/default.aspx?scid=kb;en-us;245216

Stress Tools to Test Your Web Server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;231282

WebCast: Using the Microsoft Security Tool Kit to Get and Stay Secure
http://support.microsoft.com/default.aspx?scid=kb;en-us;324892

Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp

Maximum Windows 2000 Security
http://www.bookpool.com/.x/rmpdj26gor/sm/0672319659


0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 1

Author Comment

by:davis
ID: 10660267
Lots of good resources here - thanks!

To quote an excerpt from your 2nd posted link:
"Just about any firewall will allow packet and port filtering in order to protect your network and Exchange environment. While this is a good start for protecting your servers, it falls short of complete protection since you have to open ports to allow access to the data in your private network. For example, port 25 must be opened to allow for SMTP traffic, port 80 for HTTP."

...with the FE in a perimeter zone (between two firewalls), as shown in the diagram, is the internal network still at risk?  Unclear what can be at risk - the FE, the BE (back-end), or both.

thanks for any clarification!!
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661444
I did'nt stydy it all, but the solution is here:

Microsoft Exchange 2000 Server Front-End and Back-End Topology
 Advantages of a Front-End and Back-End Server Environment
 How Front-end and Back-end Topology Works
 Deployment Considerations
 Scenarios
 Configuring a Front-End Server
 Configuring a Back-End Server
 Configuring Firewalls
 Front-end and Back-end Topology Checklist
 Front-end and Back-end Topology Troubleshooting Steps
 Additional Resources
http://www.microsoft.com/technet/prodtechnol/exchange/2000/maintain/e2kfront.mspx
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661452
SoftScan puts an end to virus and spam threats from the Internet
http://www.softscan.dk/english/index.asp
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661479
Remember to have a different/difficult password for the administrator on the FE server, than on the BE and the rest of your servers, and setup auditing on FE

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit acconts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html
0
 
LVL 1

Author Comment

by:davis
ID: 10661513
I have used the 'maintain'article quite a bit  - kind of a bible.

I think I found the answer in the article you posted earlier : http://www.microsoft.com/technet/security/prodtech/mailexch/opsguide/e2ksec04.mspx

Also found elsewhere, it stated :
"For security reasons, you don't want to install a front-end server in a DMZ.
Why?  Because you have to open up a whole stack of ports between the
networks.  A much more secure solution is to have the FE server on the
internal network, with ISA Server in the DMZ publishing OWA."

I would imagine it would be sugested to run ISA or some other firewall that will do application proxy.  Something to scan the traffic on IMAP, SMTP, POP before passing on to the mailserver.

Thanks for your references!


0
 
LVL 1

Author Comment

by:davis
ID: 10661529
OOps - meant to Accept the one just above the one I actually accepted.

I found it much more concise and useful
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661829
:o) Glad I could help you - thank you for the points
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question